From: Victor Stinner <vstinner@python.org>
Date: Sun, 26 Jun 2022 08:43:21 +0000 (+0200)
Subject: gh-94172: urllib.request avoids deprecated key_file/cert_file (#94232)
X-Git-Tag: v3.12.0a1~1110
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=37118fa2e3af133b0cf4935b008c7be7f5d07f68;p=thirdparty%2FPython%2Fcpython.git

gh-94172: urllib.request avoids deprecated key_file/cert_file (#94232)

The urllib.request module no longer uses the deprecated key_file and
cert_file parameter of the http.client module.
---

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 7878daacb52d..1761e951e624 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -1990,9 +1990,17 @@ class URLopener:
 
     if _have_ssl:
         def _https_connection(self, host):
-            return http.client.HTTPSConnection(host,
-                                           key_file=self.key_file,
-                                           cert_file=self.cert_file)
+            if self.key_file or self.cert_file:
+                http_version = http.client.HTTPSConnection._http_vsn
+                context = http.client._create_https_context(http_version)
+                context.load_cert_chain(self.cert_file, self.key_file)
+                # cert and key file means the user wants to authenticate.
+                # enable TLS 1.3 PHA implicitly even for custom contexts.
+                if context.post_handshake_auth is not None:
+                    context.post_handshake_auth = True
+            else:
+                context = None
+            return http.client.HTTPSConnection(host, context=context)
 
         def open_https(self, url, data=None):
             """Use HTTPS protocol."""